If you ever wondered whether those iTunes gift card phishes really work, see the email exchange below.

Yep, that overzealous employee actually drove around town from store to store picking up iTunes gift cards for the bad guys, because stores limit the number of cards that can be bought at one time.

All told, poor Emily bought TWENTY $100 iTunes gift cards for the bad guys. Worse still, she put them ON HER OWN PERSONAL CREDIT CARD!

Wonder if her company will reimburse her? Kind of feel sorry for her. It helps to get security awareness training from your organization. Emily was not trained. Don't be Emily.

Here is the email exchange in chronological order. Note that the time stamps are the originals and come from different time zones. Names are changed to protect the innocent. John Carpenter is the C-level executive of "distracted.com" whose identity the bad guys spoofed.

Yes Emily, can you get this done ASAP? I need some couple of gift cards. There are some listed clients we are presenting the gift cards. How quickly can you arrange these gift cards because i need to send them out in less than an hour. I would provide you with the type of gift cards and amount of each.

The type of card I need is Apple iTunes gift cards. $100 denomination, I need $100 X 20 cards. You might not be able to get all in one store, you can get them from different stores. When you get the cards, Scratch out the back to reveal the card codes, and email me the codes. How soon can you get that done? Its Urgent.

End of email thread. One hour and twenty-five minutes later, the bad guys had $2,000 in iTunes gift cards in their hands and Emily had charged all of them to her personal credit card. OUCH!

I suggest you send the following to your employees, and to accounting specifically. You're welcome to copy, paste, and/or edit:

The bad guys are getting creative with hybrid gift card / CEO fraud scams. There is a massive campaign underway in which they impersonate an executive and urgently ask for gift cards to be bought for customers. The card numbers then have to be emailed or texted to the "boss" after the cards are physically bought at stores. Never comply with a request like that. Always confirm with a live phone call to a number you already have on file (not one given in the email) to make sure this is not a scam. Sometimes it's OK to say "no" to the boss!


Hopefully she does learn what she needs to look out for. I know it's easy for us to see the obvious signs such as poor grammar, dodgy looking email address, using a pressure tactic once hooked in, but there are some really sheltered people out there that just do not have a clue.


Emily has learnt a valuable lesson from this experience. I hardly ever use my credit card for work purchases unless I have an undertaking saying that I will be reimbursed and it has been agreed with my manager and finance, which is a good safety catch.


This isn't 'creative' at all. It's the same old thing that's been going around for years. What they seem to be doing is getting more FOCUSED. Ones I'm seeing now have our owner's signature from his iPhone on them. It's one from a few years ago, but still a bit concerning as to how they're getting these messages.

Agree with Robert again, Emily should have known better. A quick check-up call to this executive or their assistant would have cleared things up quickly. To quote PT Barnum, "There's a sucker born every minute, and two to take him..."

They are persistent, though. My purchaser had a laugh when he replied to one, "But you were just at my desk a few minutes ago!" The reply? "That doesn't matter. I forgot to tell you when I was there. Please do this immediately!" *Shakes head*


Not surprised. When I worked at Apple support, we got these calls all the time. People would buy iTunes gift cards thinking they could use them for some special car deal a scammer emailed them about. Yeah, like any dealership would sell a car for iTunes gift cards. Moral of the story: don't just blindly follow, it's OK to question things!


Following receipt of one of these Latvian scams, I just sent a reminder email out to our whole management team that you need to check the email address on any email you receive. The half-dozen people who got one of these weren't in any danger of falling for it, but the youngest recipient did respond, and the turnaround time was FAST on the followup email! Does help that our CEO doesn't use a sig and the stilted language is another giveaway.

I can see how someone could be manipulated by the declared urgency, especially if they are new/low on the totem pole, but to have that whole process go through to completion like that is hard for me to figure.

Had this happen just last week. One of our team members received an email from our org's president. Fortunately, he then saw president at lunch and said, "***, I will get that for you after lunch," to which president responded, "what?" He was ready to go buy the gift cards.

This happened on a broader scale back during the summer when about 60 people on the same team received an email from their senior director. Thankfully, only 1 of the 60 fell for it...by the time he got back from buying the gift cards, everybody else knew it was fraudulent, and they were able to get the charges reversed. Unfortunately, the way these 60 people got sent the email was that we have a public facing web page for this particular team which has the names, phone numbers, and email addresses of all 60 team members, with the senior director's name and email address at the top...we advised that they at least hide the email addresses from this page, but the team didn't want to do that.

I have added a rule in Office 365 where, if an email's "from" display name is the same as this particular senior director's but the message was sent from an external source, then "**POSSIBLE FRAUD**" will be prepended at the top of the email. Hopefully this will be a good clue to prevent it happening in the future.
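The Office 365 rule described in the comment above, written out as an Exchange Online mail flow rule. This is an added example, not the commenter's actual rule: the executive's display name, the admin account and the tenant domain are placeholders, and the ExchangeOnlineManagement module is assumed to be installed with an account that has Exchange admin rights.

```powershell
# Added example, not the commenter's own rule. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account can manage transport rules.
# 'Jane Director', admin@contoso.example and contoso.example are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$execDisplayName = 'Jane Director'   # assumed: the senior director's display name

# Regex-escape the name so a '.' or other metacharacter in it is matched literally.
# HeaderMatchesPatterns is a regular-expression match against the named header.
$pattern = [regex]::Escape($execDisplayName)

New-TransportRule -Name "Flag external mail impersonating $execDisplayName" `
    -Priority 0 `
    -FromScope NotInOrganization `
    -HeaderMatchesMessageHeader 'From' `
    -HeaderMatchesPatterns $pattern `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText ('<p style="color:#b00000"><b>**POSSIBLE FRAUD**</b> ' +
        "This message uses the name $execDisplayName but was sent from outside the organization. " +
        'Do not buy gift cards or send payments on the strength of it; confirm by phone first.</p>') `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -SetHeaderName 'X-Display-Name-Impersonation' `
    -SetHeaderValue 'external-match' `
    -Comments 'Display-name impersonation guard. Watch for false positives before adding more names.'

# Confirm the rule was created and is enabled.
Get-TransportRule -Identity "Flag external mail impersonating $execDisplayName" |
    Format-List Name, State, Priority, FromScope, HeaderMatchesPatterns
```

Two caveats a practitioner will want. First, `FromScope NotInOrganization` is what stops the rule from firing on the director's own mail, so it does nothing against the case raised later in this thread where the executive's real mailbox has been compromised; the "pick up the phone" advice still applies. Second, the match is on display name only, so a genuine outside contact who happens to share the name, or the director mailing in from a personal account, will also be tagged; the extra `X-Display-Name-Impersonation` header makes those hits easy to search for when tuning. `ApplyHtmlDisclaimerFallbackAction Wrap` ensures that a signed or otherwise unmodifiable message is still delivered wrapped inside a new message carrying the warning rather than passed through untouched. Tenants licensed for Microsoft Defender for Office 365 can get the same effect from the impersonation protection settings in an anti-phishing policy without hand-writing a rule per executive.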


Can't really feel too sorry for her - the from email address doesn't seem to be her company's which should have made her suspicious immediately, then when she said she'd texted the codes to him he asked her to email them.


A lot of it may depend on your company's culture. For me, a government organization, the idea of "Do this right away!" simply doesn't exist. Signs and counter-signs and secret code phrases - and mounds of paperwork and forms - rule the day.

I did have the payroll manager walk into my office one day and say, "I just got an email from 'you' asking me to send a list of all our employees and their SSNs. I'm assuming it wasn't you." Smart gal.

I wonder how many of our staff would obey a non-monetary request? Hey, Bill. Got a problem here. Need you to shut down all the servers ASAP! Could be crypto - don't hesitate. I will be unavailable for the next 30 minutes doing the same here.


Yeah, company culture can play a role in helping to stop something like this.

We didn't get this one, but we had a CEO faker try to scam us out of $50k by saying we needed to send out a wire payment for a mysterious overdue invoice. Of course that number was too high not to get scrutinized by accounting; I wonder whether it might have slipped through if it had been less.

I am with the guy asking about the email address used; to me it looks like a phishy email address. Also, the user replied to the email!?! I always teach my users: don't reply, send a new email to a known good address, and don't even fully trust that. I had a user replying to a scammer who eventually got the user to give her email credentials! She kept thinking it was no big deal because she wasn't able to log in to the scammer's website, DUH! But she did fill out the form and basically gave away her credentials. UGH!

We train with KnowBe4, so that user was really given a hard time, as she should have known better. Users need to be taught, and new users almost more than most, since any hacker who finds a new employee with access to money and/or to the CEO/CFO will have a prime target, because the new hire doesn't know the culture yet.


Lower amounts get by all the time, and most don't even get reported, if they're even noticed!

That second part is the real problem. Most users just don't 'know' technology. I had a user that asked me to help her try opening a file that was Emailed to her. It was 'Invoice.scr'. I asked her if .scr was a PDF or spreadsheet format, and she just shrugged her shoulders. Not her job to know file extensions, when I tried explaining them to her, which IS kind of understandable. Same with Email addresses. Email is Email is Email...Right? What do you MEAN there are separate services and servers? It's...EMAIL! Doesn't it just work?

All the training in the world won't mean much, when users read a message that has written in bold, underlined, highlighted text, "DO NOT REPLY" several times in the body and in the subject... and the first button they hit? 'Reply To:'

Guillaume-1984 wrote:

How did the scammers manage to use the boss's email address? Was it his mail, or didn't Emily notice it wasn't her boss's email address? Just to clarify the situation...

In this particular case it was the boss' name, with a totally off-the-wall Email address (see my reply above)... but I have been seeing cases where the Email account was actually 'hacked', so the message was genuinely from it. I try to show users how to identify message patterns and such, rather than the technical details. That way they, too, can tell it's a scam just by glancing at it.


This is a great point that is too often overlooked. A lot of phishing emails have dead giveaways like from address, bad grammar etc. but sometimes they look legit at first glance. It's just as important to pay attention to context and ask yourself 'is this a normal request?' Perfect example of the bad guys getting the user to react rather than thinking it through first.


Not really the scam of the week, as I have seen this going on for months :). It's sad that people don't even bother to look at the from address. It will be something like mrceo7@comcast.net. Many come from yahoo.jp or lycos.com as well. Lycos!

I am often tempted to take a screen capture of the email and mark up in red all the obvious things wrong with it, because it's getting annoying how many people fall for this. Sadly, this would probably shame them into not reporting it rather than learning from it.